In recent weeks, there has been an uptick in news of cyber-related False Claims Act (“FCA”) activity. For example, on September 1, 2023, the court unsealed a qui tam lawsuit against Penn State University relating to allegations of non-compliance with Department of Defense (“DoD”) cybersecurity obligations. Separately, on September 5, 2023, the Department of Justice (“DOJ”) announced a multi-million dollar FCA settlement with Verizon under its Civil-Cyber Fraud Initiative (which focuses on leveraging the FCA to pursue cybersecurity-related fraud by government contractors and grant recipients, as we previously discussed here). These and other cases suggest—as many had been speculating—that the number of enforcement actions and the publicity associated with previously sealed qui tam cases will continue to increase. They also signal that contractors and universities should brace for additional scrutiny and potential whistleblower claims in this area.
Whistleblower Allegations Relating to DFARS Cybersecurity Compliance
On September 1, 2023, the U.S. District Court for the Eastern District of Pennsylvania unsealed a qui tam FCA lawsuit (originally filed on October 5, 2022) alleging Penn State University failed to provide “adequate security” for Covered Defense Information (CDI), as contractually required by the DFARS 252.204-7012 clause. Under this clause, “adequate security” is defined as (at least) implementing all 110 controls outlined in NIST SP 800-171. Moreover, federal regulations require DoD contractors to conduct a self-assessment of compliance with those 110 controls and report a compliance score (out of 110) in DoD’s Supplier Performance Risk System (SPRS).
Among other things, the lawsuit alleges Penn State falsified at least 20 documents related to its NIST SP 800-171 self-assessment and other self-attestations. In particular, the lawsuit alleges that despite “never reach[ing] DFARS compliance” the university “had been falsely attesting to compliance since January 1, 2018.” The lawsuit also alleges sensitive information was put at risk when the university migrated some of its data to a commercial cloud-storage service.
The relator in the case served as the interim Chief Information Officer at Penn State’s Applied Research Laboratory in 2015 and was a part of a team assigned to evaluate Penn State University’s compliance in early 2022. The DOJ has not yet intervened and must notify the Court by September 29, 2023 if it intends to intervene in the case.
This FCA whistleblower lawsuit is significant for at least two reasons. First, it reinforces that DoD contractors and subcontractors are easy targets for whistleblowers – especially when they have exceedingly long lists of actions, such as the 110 controls here, to which they regularly attest. As such, it is critical to take steps to ensure that self-attestations and representations are accurate, and to foster a culture of collaboration, transparency, and accountability when it comes to cybersecurity, which lowers the likelihood that an employee will become a whistleblower. Second, universities and institutes of higher education with government contracts are not shielded from cyber-related FCA claims and must ensure they understand and comply with government cybersecurity regulations.
DOJ Civil-Cyber Fraud Initiative Settlement
On September 5, 2023, the Department of Justice announced its latest cyber-fraud related settlement under the Civil-Cyber Fraud Initiative. Per the settlement agreement, Verizon Business Network Services, LLC (“Verizon”) has agreed to pay $4,091,317 to resolve False Claims Act allegations that it failed to completely satisfy certain cybersecurity controls in connection with an information technology service provided to federal agencies. In particular, the settlement relates to Verizon’s Managed Trusted Internet Protocol Service (MTIPS), which is designed to provide federal agencies with secure connections to the public internet and other external networks. The DOJ alleged that Verizon’s MTIPS solution did not completely satisfy three required cybersecurity controls for Trusted Internet Connections with respect to General Services Administration (“GSA”) contracts from 2017 to 2021.
In resolving the allegations, DOJ explained Verizon received significant credit because Verizon self-disclosed the issue, initiated an independent investigation and compliance review of the issues, and provided supplemental written disclosures. Verizon also cooperated with the government’s investigation and took prompt and substantial remedial measures. The settlement agreement clarifies $2.7M of the settlement amount is restitution, which means approximately $1.3M is due to the Government’s application of a multiplier (under the FCA, the Government can seek up to treble damages, plus certain statutory penalties). Here, the total settlement amount appears to be about 1.5 times the restitution amount. This is fairly common in instances where contractors self-disclose noncompliance, as Verizon did here.
This DOJ settlement highlights the importance of robust contractor compliance systems and a culture that facilitates internal reviews to identify issues, self-disclosure, internal investigations, and cooperation with the government.
Key Takeaways for Federal Contractors and Universities
(Re)Review and Confirm Understanding of Cybersecurity Obligations and Practices. Now is a good time for contractors and universities to reexamine their cybersecurity posture and ensure compliance efforts are well underway, and that any self-attestations and representations are accurate and defensible. Government contractor cybersecurity obligations are complicated and can be confusing – ensure your team has a good understanding of the requirements and, if not, enlist help for training and instruction.
Build a Strong Compliance and Audit/Monitoring Function. Contractors and universities must understand cybersecurity obligations, follow the required standards, and implement strong policies, procedures, and controls. Ongoing/continuous internal reviews are critical to identify and resolve any potential gaps in compliance.
Promptly Investigate Internal Complaints. Internal complaints can be tricky, especially as the compliance landscape with respect to cybersecurity requirements is complex and rapidly evolving. Internal complaints may very well be legitimate. But it is also possible that employees may not fully understand the company’s true compliance obligations. Companies should take all internal complaints seriously, and also consider hiring counsel and/or independent consultants to ensure the complaints are adequately investigated against the company’s actual compliance obligations and corrections are made as necessary. Additionally, as our colleague David Douglass recently wrote about extensively, respecting employees’ concerns, understanding those concerns, and keeping the employee(s) in the loop during internal investigations results in a stronger organization.
Recent Enforcement is Just The Beginning. The focus on this area will not fade any time soon. As such, we expect to see significant increases in enforcement actions (both government-initiated and whistleblower-initiated). If cybersecurity compliance has not been at the top of your list, it is time (and likely past time) to move it up.
Sheppard Mullin’s Governmental Cybersecurity & Data Protection Team has resources and training materials available. If additional information would be helpful to you, or you have any questions, please contact us.